Cyber threats take aim at mobile

Computers still get attacked most, but cyber criminals are setting sights on mobile devices

Last month, the FBI put out a warning on two malware threats that would have been routine but for one thing. The cyberviruses targeted mobile phones and tablets running Google’s Android operating system.

Until recently, malicious software has been something only computer users worried about. Mobile devices had largely been free of attacks by cybercriminals.

But as smartphones and tablets have become powerful handheld computers with Internet access, the incidence of malware aimed at mobile devices is on the rise, cybersecurity experts say.

“We’re not only seeing more attacks, but more attention paid to mobile platforms,” said Howard Schmidt, former cybersecurity coordinator for the White House. “And the reason is the fact that these devices have become so popular. They have become the next target.”

Hackers are taking aim at mobile in part because there’s more valuable data on today’s smartphones and tablets, experts say. And as employees increasingly use their personal mobile devices for work — a trend known as Bring Your Own Device — the lure for hackers is likely to increase.

“Most people don’t think about the security risk on a mobile device like they would on a laptop or a desktop because they haven’t been conditioned that there are risks on these new platforms,” said Schmidt. “We look at the rich, robust capabilities these devices give us, but cyberprotection oftentimes is not in the front of our mind.”

Although cyberthreats are starting to pop up on mobile devices, the sheer number remains small compared with what’s out there targeting computers, experts say.

And in fact, there are fewer holes to exploit in some mobile operating systems. “They don’t rely on third-party software to do a lot of things, and even when they do, they don’t have the same security vulnerability,” said Patrik Runald, director of security research at San Diego’s Websense, which makes security software for large companies. “On mobile, when we are seeing attacks, they are often pure social engineering driven.”

Open platforms

Social engineering ploys, or “spear phishing,” typically use targeted emails and SMS (short message service) that attempt to trick people into downloading an infected application.

“Attackers do some reconnaissance,” said Runald. “They might know a person’s interests from looking at a Twitter feed or a Facebook profile. So let’s say they find out a person is a season-ticket holder to the Chargers. They could craft a message that said ‘Click here for an offer on season tickets for next year.’ ”

These social engineering attacks won’t work on some of the more tightly controlled mobile platforms. Apple iPhone owners, for example, can’t download apps from a source other than the Apple’s Apps Store without making some fairly advanced modifications to their phone. Apple also examines apps for sale in its store. So it’s hard for malware to get a foothold.

Google’s Android operating system, which has 65 percent market share for smartphones, is more open. It supports downloading apps from websites outside of Google’s Android Marketplace. There also are several different versions of the Android operating system in the marketplace, making it difficult to deploy a uniform patch to fix any problems.